OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

PROCESSING CAPACITY OF THE SOCIAL SECURITY ADMINISTRATION’S DURHAM SUPPORT CENTER

September 2009   A-14-09-19100

EVALUATION REPORT

Mission

By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

   • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
   • Promote economy, effectiveness, and efficiency within the agency.
   • Prevent and detect fraud, waste, and abuse in agency programs and operations.
   • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
   • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

   • Independence to determine what reviews to perform.
   • Access to all information necessary for the reviews.
   • Authority to publish findings and recommendations based on the reviews.

Vision

We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY

MEMORANDUM

Date:    September 30, 2009                    Refer To:

To:      The Commissioner

From:    Inspector General

Subject: Processing Capacity of the Social Security Administration’s Durham Support Center (A-14-09-19100)

OBJECTIVE

Our objective was to review the plan, design, status, and data processing capacity of the Social Security Administration’s (SSA) Durham Support Center (DSC). This is one in a series of reviews that will address the Agency’s future processing needs. This evaluation focused on SSA’s strategic planning in the acquisition of the DSC.

BACKGROUND

The DSC is a critical element in SSA’s Information Technology Operations Assurance (ITOA) initiative. The purpose of the ITOA initiative is to mitigate inherent risks in the Agency’s disaster recovery (DR) strategy by eliminating single points of failure[1] associated with a single national computing facility—the National Computer Center (NCC). The ITOA project was intended to mitigate these risks by establishing a second fully functional, co-processing data center. The project was initiated in response to Agency vulnerabilities identified in a 2002 Lockheed Martin assessment of SSA’s DR plan.[2] The assessment concluded that no commercial vendor existed that could meet the Agency’s data processing needs in the event of a disaster that rendered the NCC unavailable. It recommended that the Agency explore the feasibility of establishing an SSA DR site or second data center as opposed to using a commercial DR vendor.

In 2005, SSA’s Office of Facilities Management worked with the General Services Administration (GSA) to acquire a second data center. SSA identified the following specific requirements for the center:

•   68,200 square feet of space, 36,700 of which is for automated data processing;

•   acceptable distance from SSA Headquarters and inland; in a low-risk area for natural disasters; not subject to severe climatic conditions; close to electrical utility services that provide at least two separately fed utility substations for power; and close to points of presence for both SSA telecommunications contract providers;

•   multiple fundamental fire protection requirements;

•   raised floor that is in accordance with industry standards and best practices; and

•   meet Department of Justice, Office of Management and Budget, and Interagency Security Committee (ISC) requirements for security.

[1] A single point of failure is any part of a system that, if it fails, will stop the entire system from working. They are undesirable in any system whose goal is high availability.
[2] Lockheed Martin, Disaster Recovery Vendor Viability Report, December 27, 2002.

SSA took possession of the DSC in January 2009. Although initially referred to as the Second Data Center, the DSC is actually a co-processing center as routine operations will be divided between it and the NCC.
Data from each data center will be backed up to the other data center on a continual basis. In a recent Office of the Inspector General (OIG) report,[3] we evaluated SSA’s current DR posture and how it is impacted by the new DSC. The report indicated that, while the DSC was not designed as a backup and recovery center, in the case of a disaster at the NCC, the DSC will have the capability to handle the Agency’s information technology (IT) workloads associated with SSA’s Mission Essential Functions (MEF)[4] and Primary Mission Essential Functions (PMEF).[5] Likewise, it is planned that the NCC will have the ability to handle the Agency’s IT workloads associated with the MEFs and PMEFs in the event of a disaster at the DSC. During a disaster, the functioning data center will eventually assume non-critical workloads by expanding the existing infrastructure.

To perform our evaluation, we reviewed Federal directives, standards, and industry best practices. We also interviewed key SSA executives and personnel with oversight responsibility for the acquisition process and conducted physical walkthroughs of the DSC facility. We performed field work at the DSC and SSA Headquarters in Baltimore, Maryland, from January through May 2009.
See Appendix B for more information on our scope and methodology.

RESULTS OF REVIEW

Based on our observations and analysis of the project-level plans, designs, and current status of the DSC, SSA, with the assistance of GSA and other construction experts, appears to have successfully designed a co-processing center that incorporates a number of Tier III[6] level features and complies with industry security standards.[7] Although the DSC was acquired to mitigate the DR risk of having only one data center, we believe SSA should have optimized the use of the DSC for mitigating this risk by more effectively planning for the processing needs of the Agency. We also identified project delays and cost increases for which the Agency had not adequately planned. Finally, we noted other minor observations related to information security that should be addressed.

[3] SSA OIG, Quick Response Evaluation: Social Security Administration’s Disaster Recovery Process (A-4-09-29139) Limited Distribution Report, June 2009.
[4] MEFs are the limited set of department and agency-level Government functions that must be continued after a disruption of normal activities.
[5] PMEFs are a subset of MEFs that directly support the eight functions the President and national leadership will focus on to lead and sustain the Nation during a catastrophic emergency.

Strategic Planning

Our review of the DSC project-level planning documents and discussions with SSA personnel indicated that although prior vendor and OIG reports questioned the ability of third parties to provide DR services, the DSC was not considered an alternative DR location earlier than 2010.
In the event of an NCC outage before the DSC is fully operational in 2012, the back-up and recovery strategy would continue to rely on a vendor hot site;[8] but the demand on the hot site would be reduced since some of the processing would be done at the DSC.

Even though SSA took occupancy of the DSC in January 2009, the Agency’s operations remain fundamentally reliant on a single, national computing facility—the NCC. The age and infrastructure of the NCC suggest that even if a disaster does not occur, the deficiencies of the facility place it at risk of an outage—thus highlighting the need for SSA to have a comprehensive plan of action to ensure its information systems remain operational and the Agency can continue to provide services to the public.

A prior OIG report[9] recommended a more integrated approach to SSA’s IT strategic planning. As early as March 2001,[10] we raised concerns about SSA’s strategic planning for IT. Effective strategic planning helps an agency set priorities and decide how best to coordinate activities to achieve its goals.[11] For example, a strategic plan identifies interdependencies among project activities and helps ensure these interdependencies are understood and managed. With strategic planning, projects—and thus system solutions—are effectively integrated agencywide.

[6] Tier III facilities have redundant capacity that allows for any planned site infrastructure maintenance and activities without disrupting the computer hardware operation. All IT equipment is dual powered and has multiple independent distribution paths.
[7] The ISC, ISC Security Design Criteria For New Federal Office Buildings and Major Modernization Projects, September 29, 2004.
[8] A hot site is an alternate facility that is equipped with the computer, the telecommunications, information technology, environmental infrastructure, and personnel required to recover critical business functions or information systems in the event a disaster impacts the normal processing facility.
[9] SSA OIG, Information Technology Capital Planning and Investment Control Process at the Social Security Administration (A-14-99-12004), March 30, 2001.
[10] Develop and use a risk model in the strategic planning process for all proposed IT projects. Selection criteria should include weighing risk for cost, benefits, schedule, technical, etc.

Had the Agency taken a more integrated approach to its IT strategic planning, the DSC might have been given greater consideration as a part of the Agency’s overall DR strategy. In our recent report on SSA’s DR process,[12] we suggested the Agency accelerate its plans for using the DSC given the current state of the NCC and the processing capacity limitations at the vendor hot site. The DSC has sufficient space available for additional equipment and staff could be brought in to handle 100 percent of SSA’s computing needs in the event the NCC becomes non-operational.
Currently, the DSC may be able to function as an effective DR back-up site; however, the effectiveness and efficiency of the systems will not be fully tested until 2012.

SSA has begun to address the DR shortcomings by working to have the DSC operational sooner. With full use of the DSC in 2012, the Agency anticipates meeting its DR objectives of restoring critical functions within 24 hours of a disaster, losing less than 1 hour of data. Federal Continuity Directive (FCD) 1[13] mandates that all necessary and required communications and IT capabilities be operational as soon as possible following continuity activation and in all cases within 12 hours of the activation.

The Agency is taking a phased approach to achieve full functionality at the DSC. SSA stated that the mainframes at the DSC were configured in May 2009, and that between April and July 2009, the operating environments for two of its workloads—electronic folder and software engineering—were transferred to the DSC. Since problems have surfaced with the NCC, steps have been taken to ensure that the DSC will have the mainframe capacity to perform all critical NCC workloads by 2010, if needed. Although mainframe capacity will be available, additional equipment and data connections will still be necessary for full utilization, which is expected in Fiscal Year (FY) 2012. The recovery of the DSC’s mainframes will be tested at the NCC in 2011, and the recovery of the NCC’s mainframes could be tested at the DSC as early as 2012.
In 2012, the Agency’s goal is to have the DSC and NCC interface designed so that, in the event of a disaster, the critical workloads of one can be assumed by the other within 24 hours. Non-critical workloads will be deferred until the impacted center is restored to full operations or the capacity of the unaffected center is expanded.

[11] Government Accountability Office (GAO) GAO-09-662T, Testimony Before the Subcommittee on Social Security, Committee on Ways and Means, House of Representatives: Social Security Administration, Effective Information Technology Management Essential For Data Center Initiative, Highlights page, April 28, 2009.
[12] SSA OIG, Quick Response Evaluation: Social Security Administration’s Disaster Recovery Process (A-14-09-29139) Limited Distribution Report, June 2009.
[13] FCD 1, Federal Executive Branch National Continuity Program and Requirements, Section 9.e., page 9, February 2008.

Until the DSC can be used for DR purposes, a system outage resulting from a disaster at the NCC would effectively shut down operations across the organization for approximately 10 days, and only 34 percent of SSA’s systems processing capacity would be available after the systems are established at the DR vendor site. Furthermore, full restoration of systems capacity may be delayed for an additional 10 days because, upon returning to the NCC, the Agency would again be faced with limited service availability while SSA restores the systems and updates the files with all of the transactions processed at the vendor site.

We believe the Agency would be in a better DR posture had these issues been addressed in an integrated strategic planning process.
Given the limitations of the current DR scenario, plans to replace the NCC, and status of the DSC, the Agency plans to have an overall data processing strategy that considers a new NCC, the DSC, and a new DR plan by 2011. We recommend that the Agency complete the development of a comprehensive DR plan that considers the NCC, the project to replace the NCC, and the viability of the DSC to maximize SSA’s ability to continue operations. This DR plan should also take into account the short- and long-term interdependencies of all these projects to devise a strategy that best positions SSA to continue operation. While we recognize the Agency is making a concerted effort to ensure adequate preparation and testing before it relies on the DSC for its DR plan, we recommend that SSA develop integrated strategic plans to expedite the use of the DSC as the NCC’s DR site.

During a recent review of Agency-level strategic IT planning, we noted that SSA’s current IT strategic plans are short-term, tactical plans that do not provide a detailed description of how the Agency intends to address its long-term IT processing needs.[14] The review identified a need for SSA to focus its efforts on strengthening its IT strategic planning process and related documents.

The strategic plans should be comprehensive, transparent,[15] and integrated[16] with other components and include possible constraints and challenges on all aspects of the project. Specifically, as the Agency considers a new data center, the strategic plan should include both IT and facilities.

[14] SSA OIG, Congressional Response Report: The Social Security Administration’s Information Technology Strategic Planning (A-44-09-29120), June 29, 2009.
[15] Transparency promotes accountability and provides information across the organizational components.
[16] Per Office of Management and Budget (OMB) A-130, Section 8.a.1(e). Agencies should integrate planning for IT with plans for resource allocation and use, including budgeting and acquisition.

We also believe SSA should fully document the goals of such projects. When we reviewed the OMB Exhibit 300 submissions,[17] SSA’s OMB Exhibit 53 submissions,[18] and the Information Technology Advisory Board (ITAB) documentation,[19] we found SSA did not document the goals and resources for the structural building of the DSC as part of its IT project plan. According to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, security controls are applicable to those sections of the facility that protect the information system including its IT assets such as server farms and data centers.[20] Since NIST has recognized a data center as an IT asset, SSA should also consider a data center as an IT asset to ensure it receives the appropriate attention.

In a 2007 OIG report,[21] we found SSA could have improved its IT plan by providing its stakeholders with a clear roadmap of how the Agency plans to reach its goals and objectives. Since the DSC is a key component of the backbone of SSA’s automated operations, the Agency needs to implement an integrated strategic plan. In the context of its strategic vision, it is important that the Agency identify goals, resources, and interdependencies among the various components. Had the Agency included the facilities objectives in its ITOA project plan, it may have better achieved its goals. For example, facilities should have been included in the Agency’s ITAB proposal for systems functionality, strategic objectives, risks, dependencies, budget, and resources.

Project Costs and Schedule Delays

To initiate the project, SSA submitted an original Reimbursable Work Authorization (RWA) in FY 2005 for $675,000 for an existing data center.
After changes in construction options and building location, SSA ultimately submitted a total of $44.26 million in RWAs for the DSC. When the ITOA project was conceived, the Agency anticipated finding an existing data processing facility that could be quickly converted for SSA use. When the market survey and solicitation exercise produced only unused office space, in FY 2006, SSA submitted a subsequent RWA for $5.5 million for anticipated renovation costs. Because of potential toll road construction near the proposed renovation site, plans changed to building a new facility. This adjustment required additional funds, and the Agency submitted a FY 2007 RWA to GSA for $8.5 million. In late FY 2007, based on actual construction pricing, SSA received the first estimate from GSA that required two subsequent modifications to the RWAs totaling $44.26 million in outlays.

[17] An OMB Exhibit 300 is the capital asset plans and business cases submitted to OMB by executive agencies for IT investments.
[18] An OMB Exhibit 53 is the Agency IT Investment Portfolio submitted to OMB by executive agencies for IT investments. It is used to create an overall Federal IT Investment Portfolio published as part of the President’s Budget.
[19] The ITAB addresses Agency IT issues and investments and prioritizes Agency IT workload. The ITAB has a 2-year planning timeframe with annual and quarterly meetings. It is an ongoing process of evaluating current and new IT projects to ensure the projects fulfill SSA goals.
[20] NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Revision 2, Section 3.3, page 18, December 2007.
[21] SSA OIG, The Social Security Administration’s Information Resources Management Strategic Plan (A-14-07-27133), September 28, 2007.

In addition, the Agency encountered a number of delays during the acquisition and construction of the DSC.
We determined that it took 6 years, starting in December 2002, for the Agency to plan, construct, and occupy the co-processing center. The Agency spent the first 26 months analyzing DR solutions, which did not take into account all factors and alternatives. The Agency spent the following 14 months selecting a site and the last 32 months obtaining permits and constructing a new data center.

In May 2006, the DSC lease was awarded with an anticipated completion date of August 2007. In June 2006, GSA and SSA learned that the State was revisiting a 1958 plan to build a toll road to reduce congestion, which would permit the State to purchase the site GSA had leased for SSA. To allow ITOA to move forward, SSA located an alternate site with occupancy no later than November 2007. In March 2007, DSC construction started with access to the DSC expected in May 2008. Additional delays in material delivery schedules caused GSA and the lessor to revise the scheduled occupancy date to January 16, 2009. Despite delays in construction, SSA was able to continue the planned IT activities not directly dependent on occupation of the DSC—the isolation and testing of the workloads scheduled to move to the DSC and the testing and pre-configuring of equipment at the NCC.

Better IT investment management and planning could have ensured that SSA proceeded in a more timely fashion toward agreed-upon budget and milestones. For IT investment management, an agency should follow a portfolio-based approach in which investments are selected, controlled, and monitored from an agency-wide perspective.[22] Investment management is aimed at goals to avoid unnecessary delays and cost overruns.[23] For example, accurate cost estimating provides a sound basis for establishing a baseline to formulate budgets and measure program performance.[24] Had SSA closely managed the establishment of a second data center as a single project including both IT and facilities, it may have avoided unnecessary delays and cost overruns, and could have projected a budget closer to the final cost.

Although the DSC is more than 300 miles from the NCC, being located on the east coast leaves the Agency susceptible to regional events. According to SSA, the Agency performed a comprehensive site selection security review to assist in identifying a potential location for the DSC. However, in accordance with Federal Executive Branch National Continuity Program and Requirements, Annex G, the Agency should have conducted an all-hazards risk assessment before deciding on a location.[25] This assessment must include identification of all hazards that may affect the facility; a vulnerability assessment that determines the effects of all hazards on the facility; a cost-benefit analysis of implementing risk mitigation, prevention, or control measures; and a formal analysis by management of acceptable risk. The site location selection security review does not meet these FCD1 requirements.

[22] GAO-09-662T, supra at Highlights page.
[23] Id.
[24] Id.

A prior OIG report[26] found that SSA could encounter longer delays in recovering its systems should the Agency have to compete for hot site resources in the event of a regional or global disaster. These outages not only have a monetary impact, they also damage the public trust in the Agency. SSA should have performed an all-hazards risk assessment that included the site location to ensure the Agency is protected from regional disaster events.

“Reviewing an organization’s risks and risk management programs must take into consideration additional factors such as the probabilities of events occurring, mission priorities, and impact assessments.
Further, cost may also be a factor to consider, because informed decisions about acceptable and unacceptable levels of risk will ultimately drive the expenditure of resources (i.e., money, people, and time) to mitigate risk”.[27] Because organizations cannot afford to counter every threat to their mission, successful continuity planning demands an intelligent analysis and prioritization of where and when to focus resources and to apply funding and other assets.

By requiring that an all-hazards risk assessment—based on location—be performed for any future buildings, SSA could ensure that its data centers are not susceptible to the same regional event and also encounter fewer construction delays. Furthermore, a cost-benefit analysis will enable the Agency to implement proper measures for preventing or mitigating the identified risks.

NCC Considerations

It should be noted that SSA’s DSC construction was well underway before the 2008 Lockheed Martin report,[28] which detailed major concerns with the physical infrastructure of the NCC. Some of the concerns identified in the 2008 report had been identified as early as 1989.[29] As a part of this review, we determined whether the infrastructure concerns identified at the NCC were considered in the planning process.
Although these concerns were not specifically considered as part of the planning process, the DSC was designed and constructed in a manner that minimizes the likelihood that the physical concerns at the NCC will be repeated. For example, the Agency took steps to ensure that

•   there are no structural problems;

•   there is adequate electrical distribution and backup power supplies; and

•   the raised floor for cooling meets Tier III standards.

[25] FCD 1, supra, Annex G, page G-3.
[26] SSA OIG, Quick Response Evaluation: Social Security Administration’s Disaster Recovery Process (A-14-09-29139), June 2009.
[27] FCD 1, supra, Annex A, page A-2.
[28] Lockheed Martin, Final Feasibility Study, February 08, 2008.
[29] SSA OIG, Congressional Response Report: The Social Security Administration’s Information Technology Strategic Planning (A-44-09-29120), June 2009.

The building was designed to meet the specific criteria set forth in the requirements provided to GSA. Furthermore, SSA built the co-processing center with consideration of the data center’s possible future growth. According to the Telecommunications Industry Association, a data center should be designed with plenty of flexible “white space”—empty space that can accommodate future racks and cabinets.[30] SSA stated the DSC has “white space” that will accommodate additional mainframes, tape silos, and other IT equipment. It also has space and infrastructure to allow for additional cooling equipment, uninterruptible power supply, and generator power.

During a recent audit, the Agency advised us that the new data center had to be located within 40 miles of the existing data center to facilitate the transfer of the tightly integrated workloads.
Because of the interdependence of the workloads involved, SSA’s initial data transfer from the NCC to the new data center is unique. The Agency plans to use special software to mitigate the risks of the transfer of these tightly integrated workloads and interdependent systems.

Currently, in the event of a disaster at the NCC, SSA would use back-up tapes stored at an off-site storage facility to restore the NCC workloads at the DSC. As of 2010, the Agency plans to recover the NCC data at the DSC and test its ability to restore and recover NCC workloads comparable to the current vendor facility recovery methodology and timeframes. The Agency’s goals under the ITOA project are to have the systems operating within 24 hours of a disaster with a loss of only 1 hour. In 2012, SSA expects recovery of NCC critical workloads at the DSC within 24 hours with a 1-hour acceptable loss of data.

Physical Security Plans

According to NIST SP 800-34,[31] every building should have emergency instructions and Occupant Emergency Plans (OEP) manuals. Furthermore, SSA’s Administrative Instruction Manual System (AIMS) requires that field locations[32] develop and approve a Physical Security Action Plan (PSAP) and OEP within 45 days of occupancy for all new offices and relocations.[33] The Agency has identified the DSC as a Headquarters facility since it, along with the NCC, form a dual data processing center scenario—the management and staff are split between the two locations. At the time of our site visit in February 2009, the Agency had not completed the emergency documentation for the DSC citing that the facility had no production environment and was not considered complete. In June 2009, a physical security review was performed. The DSC continues to pursue the development of the OEP.

[30] Telecommunications Industry Association (TIA), TIA-942 Data Center Standards Overview, April 2005.
[31] NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, Section 2.2, Types of Plans, pages 7-11, June 2002.

In January 2009, the Agency took occupancy, and in May 2009, production systems began operating out of the DSC. While the Agency does not have a policy covering PSAP or OEP development for Headquarters facilities and considering the critical nature of the DSC, the Agency should have completed an OEP and PSAP in a manner at least consistent with the AIMS policy for field administration.

The lack of an OEP and PSAP impairs the Agency’s ability to prevent injury, save lives, and protect Federal assets. SSA employees, visitors, facilities, records, and equipment may not be adequately protected. Prompt coordinated steps may not be taken to obtain assistance when needed, as employees may not be aware of proper protective and emergency procedures. Therefore, we recommend that SSA develop a policy to ensure emergency instructions and plans, such as the PSAP and OEP, are completed for Headquarters facilities within at least the same time frame as required by the AIMS field administration policy. SSA should also complete the OEP and the PSAP for the DSC.

Information Security

We identified minor information security concerns that SSA should address and ensure are considered as an integral part of future planning, design, and construction of new buildings and major modernization projects.[34]

Physical security is defined as the protection of building sites and equipment (and all information and software contained therein) from theft, vandalism, natural disaster, manmade catastrophes, and accidental damage.
It requires solid building construction,
suitable emergency preparedness, reliable power supplies, adequate climate control,
and appropriate protection from intruders.[35] Agency facilities shall meet the minimum
requirements listed in the ISC Security Standards for new Federal office buildings.[36]
During our visit to the DSC, we found vulnerabilities based on ISC standards and SSA’s
policy. We recommend that SSA management assess and appropriately address the
security weaknesses identified in this review to ensure Agency compliance with
applicable ISC standards[37] and SSA policy.[38]

(We have separately provided management with details on each of the specific security
weaknesses noted in our review, including individual recommendations for addressing
them.)

[32] SSA AIMS 12.06.02 indicates that the requirement for establishing and maintaining a PSAP and OEP
applies to regional offices; program service centers; data operations centers; teleservice centers; field
offices; the Office of Disability Adjudication and Review in Falls Church, Virginia, and its hearings offices;
and the Office of Quality Performance regional and satellite offices.
[33] SSA, AIMS, General Administration Manual, Chapter 12, Field Administration, Section 12.06.03.
[34] ISC, ISC Security Design Criteria for New Federal Office Buildings and Major Modernization Projects,
page 2, September 29, 2004.

CONCLUSION AND RECOMMENDATIONS

Despite the challenges to the project, SSA appears to have successfully designed a
co-processing center that incorporates a number of Tier III level features and meets
industry security standards.
The Agency not only considered future processing needs
of the center, such as “white space,” it designed and constructed the DSC in a manner
that minimizes the likelihood that the physical concerns at the NCC will be repeated.
While SSA performed some IT planning, the Agency could have benefited had more
integrated strategic planning been performed. Given the significance of the Agency’s
current efforts to build a new NCC, we believe SSA should learn from its experience
with the DSC and take the necessary steps to ensure proper planning to mitigate project
delays and cost increases. Specifically, SSA should:

1. Accelerate the use of the DSC as a fully functioning data center—with particular
   emphasis on using the DSC as the DR site for the NCC.

2. Develop a comprehensive, long-range IT strategic plan that (i) is transparent and
   integrated within other SSA components, (ii) includes possible constraints and
   challenges on all aspects of IT projects, and (iii) conforms to the Agency’s strategic
   plan. This applies to the Agency-level and project-level strategic plans.

3. Formally document the Agency's plan to accelerate the use of the DSC as part of
   SSA's overall DR plan and continually update the DR plan as the DSC and NCC
   replacement become fully functional.
   The updated DR plan should consider the
   viability of the DSC to maximize SSA’s ability to continue operations in the current
   NCC, as well as during the transition to its replacement.

4. Develop a policy to ensure that emergency instructions and plans, such as the
   PSAP and OEP, are completed for Headquarters facilities within at least the same
   time frame as required by the AIMS Field Administration policy and complete the
   OEP and PSAP for the DSC.

For future IT investments, SSA should better manage control of the projects.
Specifically, SSA should:

5. Monitor actual performance compared to expected results to ensure projects meet
   agreed-upon budget and milestones.

6. Ensure a risk assessment is undertaken to identify environmental risks associated
   with the site location of new structures (that is, flood plain, hurricane, tornado).

With the particular security weaknesses identified in this review, we recommend SSA:

7. Assess and appropriately address the security weaknesses identified in this review
   to ensure Agency compliance with applicable ISC standards and SSA policy.

[35] SysAdmin, Audit, Network, Security Institute, Data Center Physical Security Checklist, page 2,
December 1, 2001.
[36] ISC, ISC Security Design Criteria For New Federal Office Buildings and Major Modernization Projects,
page 3, September 29, 2004.
[37] ISC, ISC Security Design Criteria For New Federal Office Buildings and Major Modernization Projects,
September 29, 2004.
[38] SSA, AIMS, General Administration Manual, Chapter 12, Field Administration.

AGENCY COMMENTS

SSA agreed with our recommendations (see Appendix C).

Patrick P.
O’Carroll, Jr.

Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

ADRE   Accelerated Disaster Recovery Environment
AIMS   Administrative Instructions Manual System
CCTV   Closed Circuit Television
CIO    Chief Information Officer
DR     Disaster Recovery
DSC    Durham Support Center
FCD    Federal Continuity Directive
FY     Fiscal Year
GSA    General Services Administration
ISC    Interagency Security Committee
IT     Information Technology
ITAB   Information Technology Advisory Board
ITOA   Information Technology Operations Assurance
MEF    Mission Essential Function
NCC    National Computer Center
NIST   National Institute of Standards and Technology
OEP    Occupant Emergency Plan
OIG    Office of the Inspector General
OMB    Office of Management and Budget
PMEF   Primary Mission Essential Function
PSAP   Physical Security Action Plan
RWA    Reimbursable Work Authorization
SP     Special Publication
SSA    Social Security Administration

Appendix B

Scope and Methodology

Our objective was to review the plan, design, status, and data processing capacity of
the Social Security Administration’s (SSA) Durham Support Center (DSC). This is one
in a series of reviews that will address the Agency’s future processing needs.
This
evaluation will focus on the strategic planning involved in the acquisition of the DSC.
To meet our objective, we examined Federal directives, standards, and best practices.
Specifically, we examined:

•   Federal Continuity Directive 1, Federal Executive Branch National Continuity
    Program and Requirements, February 2008.

•   Office of Management and Budget (OMB) Circular A-130, Management of Federal
    Information Resources.

•   National Institute of Standards and Technology (NIST) Special Publication (SP)
    800-53, Revision 2, Recommended Security Controls for Federal Information Systems,
    December 2007.

•   NIST SP 800-34, Contingency Planning Guide for Information Technology Systems,
    Section 2.2, Types of Plans, pages 7-11, June 2002.

•   NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information
    Systems, July 2008.

•   Interagency Security Committee (ISC), ISC Security Design Criteria for New Federal
    Office Buildings and Major Modernization Projects, September 29, 2004.

•   Government Accountability Office (GAO) GAO-09-662T, Testimony Before the
    Subcommittee on Social Security, Committee on Ways and Means, House of
    Representatives: Social Security Administration, Effective Information Technology
    Management Essential For Data Center Initiative, April 28, 2009.

•   SysAdmin, Audit, Network, Security Institute, Data Center Physical Security
    Checklist, December 1, 2001.

•   Telecommunications Industry Association, TIA-942 Data Center Standards
    Overview, April 2005.

•   Uptime Institute, Tier Classifications Define Site Infrastructure Performance, 2008.

We also reviewed the following:

•   SSA’s Administrative Instructions Manual System Chapter 12, Field
    Administration.
•   SSA documents such as Commissioner presentations, project schedules,
    Reimbursable Work Authorizations, the Solicitation for Offers, requirements for the
    DSC, OMB Exhibit 300 submissions, and OMB Exhibit 53 budget submissions.
•   Lockheed Martin’s Disaster Recovery Vendor Viability Report, December 27, 2002.
•   Lockheed Martin’s Final Feasibility Study, February 08, 2008.

We interviewed representatives from the following SSA components.

•   The Office of the Chief Information Officer is responsible for capital planning and
    investment control, security policy, enterprise architecture, E-Government, and the
    Information Resources Management Strategic Plan.
•   The Office of Budget, Finance and Management provides (i) a comprehensive
    financial program of budget policy, formulation, and execution; (ii) accounting policy
    and operations; (iii) the Agency’s acquisition and grants program, internal control
    program, and audit resolution and liaison; (iv) Agency-wide facilities, publications,
    and logistics management programs; (v) the Agency strategic planning, data
    matching, and information exchange; and (vi) the information systems security
    programs.
•   The Office of Systems (i) directs the conduct of systems and operational integration
    and strategic planning processes, (ii) directs the implementation of a comprehensive
    systems configuration management, database management, and data
    administration program; (iii) initiates software and hardware acquisition for SSA and
    oversees software and hardware acquisition procedures, policies, and activities;
    (iv) directs the development of operational and program specifications for new and
    modified systems; and (v) oversees development, validation and implementation
    phases.
    Specifically, we interviewed staff from the Office of Enterprise Support,
    Architecture and Engineering; Office of Systems Electronic Services; Office of
    Telecommunications and Systems Operations; the Information Technology
    Operations Assurance project officer; and DSC staff.

We performed our field work at SSA Headquarters and the DSC from January through
May 2009. We determined the criteria used in this review were sufficiently reliable to
meet our objectives. We conducted our review in accordance with the President’s
Council on Integrity and Efficiency’s Quality Standards for Inspections.[1]

[1] In January 2009, the President’s Council on Integrity and Efficiency was superseded by the Council of
the Inspectors General on Integrity and Efficiency, Inspector General Reform Act of 2008,
Pub. L. No. 110-409 § 7, 5 U.S.C. App. 3 § 11.

Appendix C

Agency Comments

SOCIAL SECURITY
MEMORANDUM

Date:      September 28, 2009
Refer To:  S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Margaret J. Tittel /s/
           Acting Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, “Processing Capacity of the Social Security
           Administration’s Durham Support Center” (A-14-09-19100)--INFORMATION

Thank you for the opportunity to review and comment on the draft report. We appreciate OIG’s
efforts in conducting this review. Attached is our response to the report recommendations.

Please let me know if we can be of further assistance.
Please direct staff inquiries to
Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, “PROCESSING CAPACITY OF THE SOCIAL SECURITY
ADMINISTRATION’S DURHAM SUPPORT CENTER” (A-14-09-19100)

Recommendation 1

Accelerate the use of the Durham Support Center (DSC) as a fully functioning data center--with
particular emphasis on using the DSC as the disaster recovery (DR) site for the National
Computer Center (NCC).

Comment

We agree. The Accelerated Disaster Recovery Environment (ADRE) project is currently
underway. We allocated funds, awarded mainframe capacity acquisitions, and we project the
installation of all equipment before the end of calendar year 2009. During fiscal year 2010, we
expect to conduct a recovery test of the NCC workloads in the DSC. In addition, we will be
conducting an exercise using real data from our live production systems.

Recommendation 2

Develop a comprehensive, long-range information technology (IT) strategic plan that (i) is
transparent and integrated within other SSA components, (ii) includes possible constraints and
challenges on all aspects of IT projects, and (iii) conforms to our strategic plan. This applies to
agency-level and project-level strategic plans.

Comment

We agree. We will develop a comprehensive, long-range IT strategic plan that is transparent and
integrated. The plan will include possible constraints and challenges on all aspects of IT projects
and will conform to our strategic plan.

Recommendation 3

Formally document the agency's plan to accelerate the use of the DSC as a part of SSA's overall
DR plan and continually update the DR plan as the DSC and NCC replacement become fully
functional.
The updated DR plan should consider the viability of the DSC to maximize SSA’s
ability to continue operations in the current as well as during the transition to the replacement
NCC.

Comment

We agree. As stated in our response to recommendation 1, we have initiated the ADRE project
with an emphasis on recovering NCC workloads in the DSC. ADRE will deliver a SunGard-like
disaster recovery capability in the DSC. In 2009, our SunGard testing restored the targeted NCC
environments in approximately 148 hours. Once we have demonstrated a process for recovering
NCC workloads in the DSC, we will update our DR documentation accordingly. Further, as the
Information Technology Operations Assurance project progresses we will perform recovery tests
in the NCC and update the documentation.

Recommendation 4

Develop a policy to ensure that emergency instructions and plans, such as the Physical Security
Action Plan (PSAP) and Occupant Emergency Plan (OEP), are completed for headquarters
facilities within at least the same time frame as required by the Administrative Instructions
Manual System (AIMS) Field Administration policy and complete the OEP and PSAP for the
DSC.

Comment

We agree. We will incorporate a change to the AIMS General Administration Manual that will
require completion of a PSAP for each headquarters facility. In addition, we are developing an
OEP for the DSC. We will also complete a PSAP for the DSC.

Recommendation 5

For future IT investments, monitor actual performance compared to expected results to ensure
projects meet agreed-upon budget and milestones.

Comment

We agree.
For future IT investments, we will monitor actual performance compared to expected
results to ensure we meet agreed-upon budget and milestones.

Recommendation 6

For future IT investments, ensure a risk assessment is undertaken to identify environmental risks
associated with the site location of new structures (that is, flood plain, hurricane, and tornado).

Comment

We agree. For future IT investments, we will conduct a risk assessment to identify
environmental risks associated with the site location of new structures. In July 2009, we
conducted an all-hazards risk assessment at the DSC.

Recommendation 7

Assess and appropriately address the security weaknesses identified in this review to ensure
agency compliance with applicable Interagency Security Committee standards and our policy.

Comment

We agree. We have assessed all security weaknesses identified in this review and taken
corrective action.

Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Brian Karpe, Acting Director, Information Technology Audit Division

   Mary Ellen Moyer, Audit Manager

Acknowledgments

In addition to those named above:

   Jan Kowalewski, Senior Program Analyst

For additional copies of this report, please visit our web site at
www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public
Affairs Staff Assistant at (410) 965-4518.
Refer to Common Identification Number
A-14-09-19100.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of
Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government
Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of
Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,
Education and Related Agencies, Committee on Appropriations,
House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human
Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions
and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations
(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of
Technology and Resource Management (OTRM).
To ensure compliance with policies and procedures, internal
controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality
Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and
operations and makes recommendations to ensure program objectives are achieved effectively and efficiently.
Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of
operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs and operations. OA also conducts short-term management reviews and program evaluations on issues
of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.
This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as liaison to the Department of Justice on all matters relating to the
investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,
and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes,
regulations, legislation, and policy directives.
OCIG also advises the IG on investigative procedures and
techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.
Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases
and in providing information to the various news reporting services. OER develops OIG’s media and public
information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for
those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal
and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates
OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the
focal point for OIG’s strategic planning function, and the development and monitoring of performance
measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative
violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides
technological assistance to investigations.
"